Brief #140: 6K Palo Alto Firewalls Exposed, $217K Email Breach Costs, Rapid7-ARMO Deal
Nikoloz Kokhreidze
First AI-generated malware framework VoidLink built in under a week with rootkit capabilities. 50% of SMBs already breached while only 34% have incident response plans. FortiGate SSO exploits create persistence accounts.
Welcome to the Mandos Brief: Strategic insights to help you stay ahead of threats and the market.
In this week's brief:
- Palo Alto Networks Emergency Patch: Critical DoS vulnerability allows attackers to force firewalls into maintenance mode, disabling protections entirely. Action: Patch immediately - 6,000 exposed systems are sitting ducks for coordinated attacks.
- Healthcare Email Certificate Crisis: 4% of healthcare email connections use unverifiable certificates while cloud platforms prioritize delivery over security. Risk: Your PHI transmissions may be flying blind through compromised channels without you knowing it.
- Infoblox-Axur Acquisition: Security consolidation continues as network security meets external threat disruption. Strategy: The market is rewarding platform plays over point solutions - time to evaluate your integration roadmap.

Strategic Intelligence
Palo Alto Networks Patches High-Severity DoS Bug That Could Disable Firewall Protections
- CVE-2026-0227 allows unauthenticated attackers to trigger denial-of-service conditions that force next-generation firewalls running PAN-OS 10.1 or later into maintenance mode, effectively disabling firewall protections.
- The vulnerability affects firewalls and Prisma Access configurations when a GlobalProtect gateway or portal is enabled; most cloud-based instances are already patched and the remaining customers are scheduled for upgrades.
- Security updates are available for all affected versions, while approximately 6,000 Palo Alto Networks firewalls remain exposed online according to Shadowserver tracking data.
Healthcare's Email Security Certificate Crisis Exposes Millions of PHI Messages to Risk
- Paubox analysis of 803,378 healthcare email connections found that 4% went to servers with unverifiable certificates, including expired and self-signed certificates that cannot validate server identity.
- Cloud email platforms like Microsoft 365 and Google Workspace prioritize deliverability over security by accepting invalid certificates and delivering messages anyway, creating hidden compliance gaps that organizations rarely detect.
- Up to 19 million healthcare email addresses are at risk due to certificate failures across the vendor ecosystem, with business associates using outdated mail servers that present invalid certificates while handling PHI transmissions.
Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
- Arctic Wolf detected automated attacks starting January 15, 2026, where threat actors exploited SSO vulnerabilities to create persistence accounts, modify VPN configurations, and exfiltrate firewall configurations from FortiGate devices.
- The attacks leverage malicious SSO logins using accounts like cloud-init@mail.io and cloud-noc@mail.io, followed by immediate configuration downloads and creation of secondary admin accounts within seconds, indicating automated behavior.
- This campaign appears related to the December 2025 FortiCloud SSO authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719), though it's unclear if current patches fully address this new threat activity.
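The sequence Arctic Wolf describes (SSO login, configuration download, new admin account, all within seconds) is a tight temporal pattern that is easy to hunt for in firewall event logs. The script below is an added example, not Arctic Wolf's or Fortinet's detection logic: it parses simplified key=value event lines modelled on FortiGate syslog and flags any SSO login followed by both a config download and an admin creation by the same user inside a short window. The log lines, the action names and the 60-second window are constructed assumptions; real FortiGate field names and log IDs differ, so map them to your own schema.

```python
"""Flag SSO logins followed within seconds by config export and admin creation.

Added illustration; not Arctic Wolf's or Fortinet's code. Log lines are a
constructed, simplified stand-in for FortiGate event logs.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (UTC). The first three mimic the automated pattern
# described in the brief; the last two are a human admin's normal activity.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:01 type=event subtype=system action=login method=sso user="cloud-init@mail.io" srcip=203.0.113.10 status=success
date=2026-01-15 time=03:12:04 type=event subtype=system action=download-config user="cloud-init@mail.io" srcip=203.0.113.10 status=success
date=2026-01-15 time=03:12:07 type=event subtype=system action=add-admin user="cloud-init@mail.io" srcip=203.0.113.10 msg="added admin 'svc_backup'" status=success
date=2026-01-15 time=09:40:11 type=event subtype=system action=login method=sso user="jane.admin" srcip=198.51.100.7 status=success
date=2026-01-15 time=11:05:30 type=event subtype=system action=download-config user="jane.admin" srcip=198.51.100.7 status=success
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RAPID_ACTIONS = {"download-config", "add-admin"}   # assumed action names


def parse_line(line):
    """Turn one key=value event line into a dict with a parsed 'ts' field."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_automated_sso_abuse(events, window=timedelta(seconds=60)):
    """Return one finding per SSO login that is followed, within `window`, by
    every action in RAPID_ACTIONS performed under the same user."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, login in enumerate(events):
        if login.get("action") != "login" or login.get("method") != "sso":
            continue
        seconds_to = {}
        for follow in events[i + 1:]:
            if follow["ts"] - login["ts"] > window:
                break                      # events are sorted; stop at the window edge
            if follow.get("user") == login.get("user") and follow.get("action") in RAPID_ACTIONS:
                # keep the first occurrence of each action after the login
                seconds_to.setdefault(follow["action"],
                                      (follow["ts"] - login["ts"]).total_seconds())
        if RAPID_ACTIONS <= set(seconds_to):
            findings.append({
                "user": login["user"],
                "srcip": login.get("srcip"),
                "login_at": login["ts"].isoformat(),
                "seconds_to_actions": seconds_to,
            })
    return findings


if __name__ == "__main__":
    for f in detect_automated_sso_abuse(parse_logs(SAMPLE_LOGS)):
        print(f"ALERT: {f['user']} from {f['srcip']} at {f['login_at']} "
              f"-> {f['seconds_to_actions']}")
```

Only the cloud-init@mail.io login is flagged: the human admin's config download happens more than an hour after login and is never paired with an admin creation. Tune the window and action set to your own logging; the point is that speed between the three steps, not any single step, is the signal.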

Leadership Insights
Guardz 2025 SMB Cybersecurity Report Reveals Half of Small Businesses Already Breached
- Survey of 800 SMBs shows 50% have already experienced a cyber incident, with 61% believing future cyber risk will increase, while only 34% have a professionally built incident response plan in place.
- Human error remains the top vulnerability at 45% of identified weaknesses, followed by targeted cybercriminal attacks at 43% and outdated technologies at 42%, highlighting gaps that MSPs can address.
- Organizations with formal incident response plans achieved an 80% success rate in avoiding major damage, demonstrating the critical value of preparation and creating opportunities for MSPs to provide AI-powered security services to overwhelmed SMBs.
Barracuda Report Shows 78% of Organizations Experienced Email Security Breaches in Past Year
- Phishing attacks and business email compromise affected most victims, with 71% of email breach victims also experiencing ransomware attacks during the same period, highlighting the interconnected nature of email-based threats.
- Organizations face average recovery costs of $217,068 per breach, with smaller companies (50-100 employees) paying disproportionately more at $1,946 per employee compared to $243 per employee for larger firms (1,000-2,000 employees).
- Advanced evasion techniques create the biggest obstacle to rapid incident response according to 47% of victims, while 44% cite lack of automated incident response capabilities as a major barrier to effective threat containment.
Identity Security Outlook 2026: NHI Crisis and AI Adoption Gap
- North American enterprises now manage machine-to-human identity ratios of at least 100:1, with some sectors reaching 500:1, while only 12% have automated lifecycle management, creating a massive governance gap.
- While 91% of organizations are piloting or using AI in IAM operations, only 7% have achieved organization-wide deployment, revealing a 22-point optimism gap between executive expectations and current outcomes.
- 76% of firms are consolidating or evaluating vendor unification to address fragmentation issues, with one in three organizations spending more time managing vendors than privileged users.

AI & Security
1Password Addresses AI Development Security Risks Through IDE Integration
- IDEsaster research identifies 30+ vulnerabilities across AI-powered IDEs where prompt injection can manipulate agents to leak credentials through untrusted project content like documentation and configuration files.
- AI-accelerated development creates expanded attack surfaces as credentials are often hardcoded into local files or exposed to language model context for convenience, turning speed gains into persistent security risks.
- 1Password's Cursor Hooks integration enforces just-in-time secret access where credentials remain in dedicated secret managers and are only injected at runtime after explicit user approval, maintaining developer velocity while preventing credential exposure.
Google Gemini Prompt Injection Flaw Exposed Private Calendar Data via Malicious Invites
- Researchers discovered a prompt injection vulnerability in Google Gemini that allowed attackers to bypass calendar privacy controls by embedding malicious natural language prompts within standard calendar invites.
- When users asked Gemini innocuous questions about their schedule, the AI would parse the hidden prompt and create new calendar events containing exfiltrated private meeting data, which could then be accessed by attackers in enterprise environments.
- The attack demonstrates how AI-native features can expand the attack surface, with vulnerabilities now existing in language and AI behavior rather than just traditional code, highlighting the need for organizations to audit AI workloads and authorization controls.
Check Point Discovers First Advanced AI-Generated Malware Framework Called VoidLink
- Check Point Research documented VoidLink as the first evidence-based case of a sophisticated malware framework authored almost entirely by artificial intelligence, reaching functional status in under a week through Spec Driven Development methodology.
- The framework employs advanced technologies including eBPF and LKM rootkits with dedicated modules for cloud enumeration and post-exploitation in container environments, demonstrating capabilities previously associated with well-resourced threat groups.
- OPSEC failures by the developer exposed development artifacts showing how a single individual used AI to plan, build, and iterate complex systems at unprecedented speed, normalizing high-complexity attacks that would typically require coordinated teams.

Market Intelligence
Rapid7 Partners with ARMO to Add Cloud Runtime Security to Command Platform
- Rapid7 has announced a strategic partnership with ARMO to integrate Cloud Application Detection & Response (CADR) capabilities into the Rapid7 Command Platform, providing real-time threat detection across cloud assets and workloads.
- The integration enables security teams to detect active threats in real time, correlate runtime events with misconfigurations and vulnerabilities, and respond instantly by isolating compromised workloads or terminating malicious processes.
- The new capability supports AWS, Azure, and multicloud environments as part of Exposure Command Ultimate, allowing organizations to move from reactive defense to preemptive response against modern cloud attacks.
Infoblox Acquires Axur to Expand Preemptive Security Against External Threats
- Infoblox plans to acquire Axur, a provider of AI-powered security solutions, to enhance its preemptive security capabilities against brand abuse, credential exposure, and external digital threats beyond traditional network perimeters.
- Axur's automated threat detection platform can flag detected phishing infrastructure for takedown in under four minutes and achieves nearly 99 percent takedown success rates, using AI to discover, validate, and remove malicious infrastructure before it can be weaponized.
- The acquisition is expected to close in Spring 2026 subject to regulatory approvals, combining Infoblox's DNS-layer blocking capabilities with Axur's external threat disruption to reduce median attack uptime from days to hours.
Monnai Raises $12 Million for Identity and Risk Data Infrastructure
- California-based Monnai secured $12 million in funding led by Motive Partners, bringing total investment to $23 million for its AI-powered identity and risk data infrastructure that serves e-commerce, financial services, and fintech companies.
- The company processes tens of millions of transactions monthly through ultra-low-latency risk signals that help organizations prevent fraud, streamline customer onboarding, and enable real-time credit decisioning using AI-based models.
- Monnai plans to use the investment to expand into Europe and Latin America while enhancing its core data infrastructure and growing its engineering and go-to-market teams to accelerate adoption among financial institutions and digital businesses.

Security Stack
Kiteworks HIPAA Compliance
HIPAA-compliant secure file sharing and collaboration platform for healthcare
ThreatMon AI
AI-powered threat intelligence platform with search, risk assessment & alerts
ZeroFox
External threat intelligence platform for surface, deep, and dark web monitoring
Thank you for reading this week's brief.
If you found this brief valuable, please forward it to one peer who is currently building or securing a B2B startup.
I’m constantly refining this intelligence for you. Was this week's market analysis useful?
Just hit Reply and let me know, I read every message.
P.S. Whenever you’re ready, there are two ways I can help you:
- Founders: Need a Fractional CISO to unblock enterprise deals or lead your cybersecurity maturity journey? Book a Discovery Call
- Vendors: Want to get your product in front of 15k+ security researchers on CybersecTools? Submit Your Product
Talk to you in the next one.
Nikoloz